Tcpdump Filters for Specific TCP and IP Flags and Fields
Jun 9, 2019
This article provides concise tcpdump commands to filter packets using specific TCP or IP flags and header values.
To capture TCP packets by flags:
None set
tcpdump 'tcp[tcpflags] = 0x00'
SYN and ACK set
tcpdump 'tcp[tcpflags] = 0x12'
SYN and RST set (SYN = 0x02, RST = 0x04)
tcpdump 'tcp[tcpflags] = 0x06'
SYN and FIN set (SYN = 0x02, FIN = 0x01)
tcpdump 'tcp[tcpflags] = 0x03'
PSH and ACK set
tcpdump 'tcp[tcpflags] = 0x18'
To filter IP packets by fragment offset:
Non-zero fragment offset (any fragment other than the first; the low 13 bits of bytes 6-7)
tcpdump 'ip[6:2] & 0x1fff != 0'
To match a specific IP TTL:
Specific TTL, e.g., 128
tcpdump 'ip[8] = 128'
To filter on IP DSCP:
Specific DSCP value, e.g., 46 (EF); DSCP is the top 6 bits of the ToS byte
tcpdump '(ip[1] & 0xfc) >> 2 = 46'
The parentheses are required: in pcap-filter syntax >> binds tighter than &, so without them the expression is parsed as ip[1] & (0xfc >> 2).
To filter by IP ECN:
Specific ECN, e.g., value 3 (the low 2 bits of the ToS byte)
tcpdump 'ip[1] & 0x03 = 3'
To capture traffic with a specific TCP sequence number:
Sequence value 12345678
tcpdump 'tcp[4:4] = 12345678'
To capture by acknowledgment number:
Ack number 87654321
tcpdump 'tcp[8:4] = 87654321'
To filter by TCP source port range:
Source port above 1023 (a 2-byte field cannot exceed 65535, so no upper bound is needed)
tcpdump 'tcp[0:2] > 1023'
To filter by TCP destination port range:
Destination port above 1023
tcpdump 'tcp[2:2] > 1023'
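As an added example (not part of the original article), the following Python harness builds a constructed IPv4/TCP header and evaluates the same byte-offset predicates the filters above use, so you can see exactly which bytes each expression reads. It assumes no IP or TCP options, and it also shows why the DSCP filter needs parentheses.

```python
import struct

# TCP flag bit values as read by tcp[tcpflags] (same bit layout tcpdump uses)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def build_packet(flags, dscp=0, ecn=0, ttl=64, frag_off=0,
                 sport=1025, dport=80, seq=0, ack=0):
    """Constructed sample: minimal IPv4 + TCP header, no options, no payload."""
    tos = (dscp << 2) | (ecn & 0x03)          # DSCP in top 6 bits, ECN in low 2 bits
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, tos, 40, 0x1234, frag_off & 0x1FFF,
                         ttl, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)
    return ip_hdr + tcp_hdr

def ip_field(pkt, offset, size=1):
    """Equivalent of the filter expression ip[offset:size] (big-endian)."""
    return int.from_bytes(pkt[offset:offset + size], "big")

def tcp_field(pkt, offset, size=1):
    """Equivalent of tcp[offset:size]; TCP starts after IHL*4 bytes of IP header."""
    ihl = (pkt[0] & 0x0F) * 4
    return int.from_bytes(pkt[ihl + offset:ihl + offset + size], "big")

def tcp_flags(pkt):
    """tcp[tcpflags] is an alias for tcp[13]."""
    return tcp_field(pkt, 13)

def dscp_value(pkt):
    """(ip[1] & 0xfc) >> 2, the parenthesised form."""
    return (ip_field(pkt, 1) & 0xFC) >> 2

def dscp_without_parens(pkt):
    """How pcap-filter actually parses ip[1] & 0xfc >> 2: >> binds tighter than &."""
    return ip_field(pkt, 1) & (0xFC >> 2)

def ecn_value(pkt):
    """ip[1] & 0x03"""
    return ip_field(pkt, 1) & 0x03

def is_later_fragment(pkt):
    """ip[6:2] & 0x1fff != 0: fragment offset non-zero, i.e. not the first fragment."""
    return (ip_field(pkt, 6, 2) & 0x1FFF) != 0

if __name__ == "__main__":
    pkt = build_packet(SYN | ACK, dscp=46, ttl=128, seq=12345678)
    print(hex(tcp_flags(pkt)), dscp_value(pkt), dscp_without_parens(pkt), ip_field(pkt, 8))
```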
See the pcap-filter(7) manual page for the full filter syntax and more examples.